Password and Access Control Policy Quiz

Password and Access Control Policy Document Control Summary

• The Password and Access Control Policy is designed to protect physical assets and sensitive information by implementing specific responsibilities, conditions, and practices.
• The policy satisfies certain requirements of the Payment Card Industry Data Security Standard (PCI DSS).
• The policy applies to all systems and assets owned, managed, or operated by the organization.
• The HR Role/Line Manager is responsible for informing IT of new employees, changes to access rights, and leavers, as well as reviewing access rights and job responsibilities.
• The Information Security Manager approves access requests, defines user groups and roles, and audits user and access lists.
• Systems Administrators must adhere to the policy when making changes to access privileges and ensure that systems enforce the policy configurations.
• User authentication is based on business needs and the principle of least privilege, with access granted based on job classification and function.
• Non-authenticated or shared user IDs are prohibited, and every user must have a unique user ID and personal secret password.
• Authentication mechanisms must be of appropriate strength and suited for the delivery channel.
• Secure mechanisms for authenticating users accessing servers remotely or at the console must be implemented.
• Web applications must implement secure user authentication mechanisms.
• Different authentication mechanisms are specified for voice, email, fax, white mail, remote access, and network devices.
• The policy also includes access control configurations for passwords, including requirements for uniqueness, length, complexity, history, lockout, and two-factor authentication for remote access.